White House To Drop Details of Cyber ID On Tax Day
BeatTheChip writes "Dept. of Commerce Secy. Gary Locke plans to release solidified details of the National Strategy for Trusted Identities in Cyberspace [NSTIC] program starting 11 AM on Tax Day. Technologies and new policies will be demonstrated and discussed to attending press. NSTIC, a federal cyber identity program, drew criticisms earlier this year on initial announcement for similarities to a national identity program. It was deemed 'Real ID for the Internet' by some privacy and civil liberty organizations. NSTIC is a national online authentication program for public use under the oversight of the Dept. of Homeland Security."
Sorry citizen, in compliance with U.S. law, Comcast Cable Broadband now requires that all subscribers identify themselves by their U.S. Internet Identification Number before accessing internet content. Please contact your local office of the Federal Bureau of Investigation (FBI) for more information on how to obtain your U.S. Internet Identification Number. And thank you for choosing Comcast as your broadband provider!
SJW: Someone who has run out of real oppression, and has to fake it.
Thank you for complying, citizen.
Remember, we all love the Computer and those who do not will be removed to a secure detention facility for their safety.
Today is red jello day - all workers must eat all of their red jello. Failure to comply will result in five demerits.
-- Tigger warning: This post may contain tiggers! --
Without TPM this idea is a joke. I think you can see where this is going.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Federal Tax filing date is April 18th this year, not the 15th.
that is absolutely terrifying. why aren't citizens revolting over this? i'm canadian and with the prospects of another conservative government looming (god forbid) our douchebag of a prime minister stephen harper would most likely adopt a similar program here, as he loves to lick the balls of the US at any opportunity. so please, strong citizens of the United States - STOP THIS.
Nobody asked for, or needs this except maybe the government wanting to track citizens and content companies wanting to track "pirates."
It'll be For The Children. Or to help Thwart Terrorism. But really, it's just to help pay off the MPAA & RIAA, and make the jobs of the vast legions of winged lawyers that much easier.
I am honestly afraid that this is basically going to turn into an internet driver's license. Imagine if you were required to get government approval in order to read a book? This violates all kinds of freedom of speech provisions. I'll wait to see the details before I make a final judgement, but I much prefer being able to remain effectively anonymous online.
Welcome to City 17. You have chosen or been chosen to relocate to one of our finest remaining urban centres...
Drop? As in get rid of, lose, no longer keep?
Is this another US/Everyone else language fail, like "Let's table this idea"?
Ceci n'est pas un sig.
With this system in place, they will know the identity of everyone who posts online, except of course those who have hacked the system so as to appear as someone else. Once this system is in place it will be much easier for the government to gain convictions when crimes are committed. Of course, we will never know how many of the people convicted are the actual criminals, rather than just a victim of a hacker who chose their identity at random.
The truth is that all men having power ought to be mistrusted. James Madison
The government wishes to enhance consumers' privacy by attaching a unique identifier to each and every online transaction? What an excellent example of doublespeak.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
> Of course, we will never know how many of the people convicted are the actual criminals, rather than just a victim of a hacker who chose their identity at random.
If it's possible to hack an identity, and it's possible to show that it's possible to hack an identity, then the system is mooted and the conviction based on the system is invalid.
You are about to be tagged and taxed. America owns you.
From the NIST NSTIC link in TFA:
# Private: This new "identity ecosystem" protects your privacy. Credentials share only the amount of personal information necessary for the transaction. You control what personal information is released, and can ensure that your data is not centralized among service providers.
# Voluntary: The identity ecosystem is voluntary. You will still be able to surf the Web, write a blog, participate in an online discussion, and post comments to a wiki anonymously or using a pseudonym. You would choose when to use your trusted ID. When you want stronger identity protection, you use your credential, enabling higher levels of trust and security.
So the idea is that this cyber ID can be used to positively identify you, to reduce fraud, right? So what happens when someone gets your cyber ID anyway and goes around impersonating you? Well, now there is extremely convincing evidence that it was you and not the fraudster. Nobody is going to believe someone else got your cyber ID. This is going to make it a lot harder for victims of fraud to get their name cleared.
I had heard the same thing has happened to people who use those credit cards with the embedded RFID chip (or whatever tech they use). Everyone knows how easy it is to clone the magnetic strip, so those are considered vulnerable and if you dispute a transaction that was done that way, the bank will believe you. However, the chip is considered absolutely secure, so if someone made a transaction that appeared to come from the chip assigned to your card, there was no way to dispute it because there is "irrefutable" evidence that you made the transaction.
Just get a cheap VPS in another country and route everything through that.
Go green: turn off your refrigerator.
It will be possible to hack an identity. Whether it will be possible to convince a jury that your identity was hacked is another matter altogether.
There are other problems with this system as well. What happens when the system says that you are not you? Not that someone else is you, just that you are not you?
The truth is that all men having power ought to be mistrusted. James Madison
and remove my PCs from internet connectivity before i subject myself to such a heavy handed draconian measure.
goodbye internet, it was fun while it lasted, but the government is here to help which always takes the fun out of things.
Politics is Treachery, Religion is Brainwashing
Online participatory government, which includes online voting, is a necessary next step to increase the involvement of citizens in their governance. But two basic challenges are introduced with online interaction, which are not managed well with our current Internet: Verification and Anonymity. These problems must be solved with an equal concern for both the government's need for verification and a citizen's right to anonymity. Federated identity solutions meet the government's need, but at the expense of the citizen’s.
1. The greatest threat to federated solutions is subversion by authority. In-person voting is highly distributed and each step of the process is very visible. Even in countries where totalitarian governments are in control, it is very difficult to hide intervention. It would be too easy for a government to invisibly alter results in a federated solution because of its centralized nature. Evgeny Morozov recently argued in "The Net Delusion" that the centralized (read: federated) nature of the current Internet makes it vulnerable to centralized control. As current events show, many governments are just waking up to this fact, while China is already making a science of it.
2. Federated solutions require that the citizen register with a third party, chosen by the government, to manage the citizen's online identity. If the citizen has different criteria for trust than the government, then the citizen cannot avail themselves of services requiring an online identity.
3. Even if there was a choice of identity managers, there is no evidence to suggest that security can be guaranteed by the federated solution provider. There are too many examples of governments, businesses, and even security firms being hacked or inadvertently disclosing sensitive user information.
4. Electronic Voting is only one aspect of participative government: polls, comments, data access, and more innovative uses of online collaboration could all be facilitated with a verifiable anonymous identity. But federated identity solutions tend to not be very extensible. Federated identity solutions typically require adding orders of magnitude of complexity and risk to use the solution in multiple contexts. For example, using a single identifier over multiple sites will increase the risk of re-identification.
5. Anonymization of votes by federated solutions gains much of its security by introducing additional complexity. Complexity, in turn, introduces new and unknown vulnerabilities, increases the burden of auditing and oversight, and makes subversion by authority easier to hide.
6. One of the weakest security links in most, if not all federated solutions is Public Key Infrastructure. Not only is PKI susceptible to brute-force decryption (the cost of which is dropping every day), but the biggest vulnerability to PKI is when certificates are used. A certificate issuer, such as the government of China, has a built in backdoor to communications dependent upon that certificate. One of the founders of the Internet, Van Jacobson, calls certificates a disaster. This is a clear example that the interests of the citizen are not a priority. Ignoring certificate warnings or other certificate subversions would allow a third party to pretend to be the site that creates the citizen’s online identity and the citizen would be fooled into providing essential identity information to an un-trusted party.
7. There is a long-term risk that the federated identity be used for more and more purposes than it was intended and becomes necessary to function in society, as social security numbers have. Just as social security numbers have exceeded their use as a worker identifier, a federated online voting identity will be used for far more than government interaction and form a huge dependency on the identity provider.
Granted, federated ide
Sorry, but tax day this year is April 18th.
Am I the only one here flashing back to "True Names"?
My other car is a 1984 Nark Avenger.
We're talking about just another computer system here. It can and will be hacked.
> Of course, we will never know how many of the people convicted are the actual criminals, rather than just a victim of a hacker who chose their identity at random.
> If it's possible to hack an identity, and it's possible to show that it's possible to hack an identity, then the system is mooted and the conviction based on the system is invalid.
Possibly. Of course, if you take the situation with regards to DUIs, it's illegal in some states (California, I believe) for a defense attorney to even bring up the subject that a breathalyzer is anything but one hundred percent accurate. Said attorney can be up on contempt of court charges if he does. So yeah, it's pretty easy to imagine that the government will prevent any demonstration in court of the fallibility of their system.
The higher the technology, the sharper that two-edged sword.
> Of course, we will never know how many of the people convicted are the actual criminals, rather than just a victim of a hacker who chose their identity at random.
The real danger is that this is just another form of automated justice. If a log generated by a server somewhere in somebody's cloud says you're guilty ... then you're guilty. Period. End of statement. Face it, courts only rarely disregard computer-generated "evidence", although that's likely only because they don't have the mental tools to make a judgement as to the probability of a computer error, so they simply ignore the possibility. I suspect that most people here on Slashdot are like me, in that they certainly would not want their future, their livelihood or their freedom beholden to the reliability and accuracy of somebody's little black box.
What we have here is Man fading in the shadow of the machine. And I don't like it.
The higher the technology, the sharper that two-edged sword.
A few hours ago we got news about Safari implementing the Do Not Track option, and now we get a this, enforcing tracking for all US citizens.
So, you go online with Safari and then what happens? The world implodes into a singularity? Could be fun to watch (from a safe distance, of course).
Faster! Faster! Faster would be better!
That IIN has already been registered. You do not exist, access denied.
Add a k so it is NSTICK. A barely noticeable nasty little bloodsucker buried into your skin. teehee
What is ironic is that properly implemented, this system can assure a truly kick-ass privacy ecosystem.
One could base it around a smart card. The private key is stored, and a certificate from a trusted CA (county courthouse) states that this key belongs to this individual.
Then start sticking certificates on the key. The user can determine who gets to see the certificates, and who doesn't.
Carded at the bar? The bar doesn't need to know the DOB. The bar finds a certificate stating that this person is over 21 years of age, signed by the state. That is good enough evidence for legal purposes to start slinging the drinks. The bar is legally covered, and the patron does not have to show when they were born.
Criminal record? The potential employer sees a certificate from NCIC stating the bearer has zero crimes on his/her rap sheet. The employer checks to see if this cert was revoked, and it hasn't been. So, even without looking up the user in a database, there is legal proof of no felonies present.
Degree from accredited institution? The employer finds a cert from Miskatonic University stating the person has graduated and has a B. S. Going up the cert chain, the university has a certificate from an accreditor stating that they are in good standing.
Credit report? Vinny's Used Cars gets a certificate from Experian that the person is in the top tier of credit, and no other details are handed out.
Of course, with keys and an active CRL mechanism, if someone was convicted, the criminal record cert stating there is no record would be revoked, or it can be a SLC that is pulled from a certificate server, with an expiration duration of minutes to hours.
I have hopes... if done right, a good smart card would help privacy and security. However, if done wrong, it would rain down hell on anyone in the US.
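The selective-disclosure check described in the comment above, as an added example that is not part of the original post: the verifier (the bar) accepts a state-signed "over 21" certificate that carries no date of birth, and refuses it when it is expired, revoked, altered, or presented by someone who cannot prove possession of the card's key. The textbook-RSA signing over small Mersenne primes, the field names, the issuer name `state-dmv` and all sample values are assumptions constructed for illustration; a real card would use a vetted signature scheme.

```python
import hashlib
import json

E = 65537  # public exponent

def toy_keypair(p, q):
    """Textbook RSA from two known primes. Toy-sized, for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):
    return pow(_digest(msg, priv["n"]), priv["d"], priv["n"])

def verify(msg, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == _digest(msg, pub["n"])

def _encode(body):
    # Canonical byte form so issuer and verifier hash the same thing.
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(issuer, issuer_priv, holder_pub, claim, serial, not_after):
    """Issuer binds ONE claim to the card's public key; no other attribute."""
    body = {"issuer": issuer, "holder": holder_pub, "claim": claim,
            "serial": serial, "not_after": not_after}
    return {"body": body, "sig": sign(_encode(body), issuer_priv)}

def check_presentation(cert, wanted, trusted, revoked, now, nonce, nonce_sig):
    """Verifier side. Returns "ok" or the first reason for refusal."""
    body = cert["body"]
    issuer_pub = trusted.get(body["issuer"])
    if issuer_pub is None:
        return "untrusted issuer"
    if not verify(_encode(body), cert["sig"], issuer_pub):
        return "bad issuer signature"
    if body["claim"] != wanted:
        return "wrong claim"
    if now > body["not_after"]:          # short-lived cert: expiry is the
        return "expired"                 # first line of revocation
    if body["serial"] in revoked:        # CRL lookup for longer-lived certs
        return "revoked"
    # A copied certificate is useless without the card's private key:
    # the holder must sign a fresh challenge chosen by the verifier.
    if not verify(nonce, nonce_sig, body["holder"]):
        return "holder key not proven"
    return "ok"

# Constructed sample keys (Mersenne primes; far too small for real use).
STATE_PUB, STATE_PRIV = toy_keypair(2**89 - 1, 2**127 - 1)
CARD_PUB, CARD_PRIV = toy_keypair(2**61 - 1, 2**107 - 1)
TRUSTED = {"state-dmv": STATE_PUB}

def demo():
    cert = issue_cert("state-dmv", STATE_PRIV, CARD_PUB, "over_21",
                      serial=1001, not_after=2000)
    nonce = b"bar-challenge-0001"        # constructed challenge value
    proof = sign(nonce, CARD_PRIV)       # done inside the card
    args = (cert, "over_21", TRUSTED)
    return {
        "fresh": check_presentation(*args, set(), 1500, nonce, proof),
        "expired": check_presentation(*args, set(), 2500, nonce, proof),
        "revoked": check_presentation(*args, {1001}, 1500, nonce, proof),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier's decision depends on the issuer key list and the revocation data it holds, which is where the objections later in the thread about mis-issued and wrongly revoked certificates apply.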
That is exactly the point I was trying to make. I knew when I finished the post that I had failed to say it as clearly as I would have liked (but I didn't feel like taking the time to fix it).
Actually, a bigger problem with this sort of government centralized identity database is when the data about who you are becomes corrupted. When one database becomes the central arbiter of who you are, how do you get it corrected when it is wrong?
The truth is that all men having power ought to be mistrusted. James Madison
What we don't need is a centralized ID system - that's a recipe for all kinds of fraud or other sorts of abuse (like the recent story about how DVR commercial viewing records are correlated with grocery purchases in order to better target you for advertising).
If the government insists on getting involved in ID infrastructure, then they ought to be providing a means for distributed identification. Define a standardized system that promotes multiple, independent IDs that are domain specific. For example, one ID for facebook, another ID for your bank, another ID for your car registration, a different ID for the tax records on property like your house.
Go ahead and define a protocol for handling the identification and authentication transactions, but require that each party (both users and service providers) keep the database of IDs on their own systems - not off in some massive cross-referenced database, federal or otherwise.
When information is power, privacy is freedom.
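One way to realise the domain-specific IDs proposed in the comment above, as an added example that is not part of the original post: each identifier is derived from a user-held secret and the service's domain, so two providers' tables share no join key, whereas a single global identifier links them immediately. The HMAC-based derivation, the function names, the `.example` domains and the sample users are assumptions constructed for illustration.

```python
import hashlib
import hmac

def normalize_domain(domain):
    # "Bank.Example." and "bank.example" must map to the same identifier,
    # otherwise the user cannot re-derive the ID they enrolled with.
    return domain.strip().rstrip(".").lower()

def pairwise_id(user_secret, domain):
    """Domain-specific ID: stable for one service, unlinkable across services."""
    msg = b"pairwise-id-v1|" + normalize_domain(domain).encode()
    return hmac.new(user_secret, msg, hashlib.sha256).hexdigest()[:32]

def global_id(user_secret, domain):
    """Single identifier reused everywhere (the centralized design)."""
    return hashlib.sha256(b"global-id|" + user_secret).hexdigest()[:32]

def enroll(users, domain, id_scheme):
    """Build one provider's own table: identifier -> what that provider knows."""
    return {id_scheme(secret, domain): attrs[domain] for secret, attrs in users}

def cross_reference(table_a, table_b):
    """What anyone holding both tables learns by joining on the ID column."""
    shared = table_a.keys() & table_b.keys()
    return {uid: (table_a[uid], table_b[uid]) for uid in shared}

# Constructed sample users: (secret held by the user, per-service attributes).
USERS = [
    (b"constructed-secret-alice", {"bank.example": "acct 1001", "social.example": "@alice"}),
    (b"constructed-secret-bob",   {"bank.example": "acct 1002", "social.example": "@bob"}),
    (b"constructed-secret-carol", {"bank.example": "acct 1003", "social.example": "@carol"}),
]

def linked_records(id_scheme):
    bank = enroll(USERS, "bank.example", id_scheme)
    social = enroll(USERS, "social.example", id_scheme)
    return cross_reference(bank, social)

def demo():
    # Number of people whose bank and social records can be joined.
    return len(linked_records(global_id)), len(linked_records(pairwise_id))

if __name__ == "__main__":
    print(demo())
```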
And what if you don't have a smart card?
You have no right to live?
You're absolutely wrong. It is a Republic, a representational government. If you look at the US congress you see the US citizenry. Weak, corrupt, dishonest, self centered, exactly like the people they represent. Don't leave out ignorant and greedy either. I guess you could call it an idiocracy. I looked at the last presidential election with despair. Obama and Biden vs. McCain and Palin. It makes me sick to think about it even now. This is the best either party has to offer us. The best they have. Think on that. Then turn on the TV and watch all the mental drivel that passes for entertainment. People actually watch that stuff. It's depressing.
see: keyloggers
Michael J. Ryan - tracker1.info
This said it was to be unveiled on April 15th -- which this year is *not* tax day.
Due to April 16th being a Saturday, Washington DC is celebrating Emancipation Day on April 15th ... making it a holiday ... so tax day got moved. With the 16th and 17th being a weekend, you have an extra 3 days this year to do your taxes, as they're not due 'til the 18th.
Build it, and they will come^Hplain.
And the malware that "bad guy" has on your computer could *never* do something maliciously and permanently corrupting your "profile" ... not to mention the government would *never* violate your civil liberties or impersonate your identity with this system.
Michael J. Ryan - tracker1.info
The more you tighten your grip Tarkin, the more star systems will slip through your fingers.
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
That's because only republicans and "right-wingers" and people belonging to the "tea party" can be targeted for this. Remember, Obama ... better than Bush. Hahaha right...you guys are fucked. You bought into the whole Trudeau style charm and are taking it like a champ now.
Om, nomnomnom...
As if that isn't obvious - the Pledge of Allegiance says, to the REPUBLIC, for which it stands...
Then the technical part - the meaning of Republic and Democracy are actually quite ambiguous. Republic essentially means that there is no monarch (or dictator) in charge and to some degree the people rule. A Democracy in the sense used in the United States means that the people chosen to rule are elected by the people and everyone gets a vote (which is blurred somewhat because technically people in the US vote for an electoral college and in many states that person is not even bound to vote for the person/party they supposedly represent).
Nobody runs a true Democracy in the sense of the form of government used in ancient Athens - that is an open forum where anyone can show up and all that show up get a vote - the logistics of scale until recently made this entirely impossible (for instance, every person in the US would get a vote on all federal laws), and even now it may be impossible to do it securely.
Wrong - since this is voluntary, they only know anyone that logs in with their identity, which would be moronic for anyone hacking - good hackers always hide behind NAT and preferably also anonymous open proxy servers. Incidentally, IPv6 has the same dream in the name of "security" - assign each person a unique IP based on their computer, disallow NAT, and you can trace every IP back to the source. It is the FBI's dream... except that IPv6 IPs are generated using the MAC address on the router, which can be spoofed... DOH!
Have you ever worked in the Smart Card or Cert industries? This has never been done right, and never will be, due to a reliance on people.
You have to trust that everyone has the certs they're supposed to have, and that no errors in cert deployment happened (wrong cert revoked, inappropriate cert given out, etc). Then there's theft of smart cards, cracking of cards for the private key, control over the card readers (how does the user determine who sees what certs when the person can't even read the data on their card without a reader -- and not all readers are created equal).
Think of the recent news items where a CA was issuing certificates to an untrusted party, and where MOST CAs were issuing certs for inappropriate zones.
Personally, having dealt with this technology in-depth for over 10 years, I'd rather trust a web of trust (real people) than a CA chain. The CA chain can augment, but it should NEVER replace.
Interesting perspective, coming from someone who doesn't know what a democracy or a republic actually is.
Those who can, do. Those who can't, sue.
> If you look at the US congress you see the US citizenry. Weak, corrupt, dishonest, self centered, exactly like the people they represent. Don't leave out ignorant and greedy either.
That's the way people are in general. If not, tell me which enlightened country to move to.
How long do you think this will remain voluntary?
The truth is that all men having power ought to be mistrusted. James Madison
> That is exactly the point I was trying to make. I knew when I finished the post that I had failed to say it as clearly as I would have liked (but I didn't feel like taking the time to fix it). Actually, a bigger problem with this sort of government centralized identity database is when the data about who you are becomes corrupted. When one database becomes the central arbiter of who you are, how do you get it corrected when it is wrong?
Yes. That sounds an awful lot like what is happening with the TSA's "no fly" list, actually.
The higher the technology, the sharper that two-edged sword.
> It would seem like an absolute blessing for one with questionable morals to be able to steal identities, obtaining records for advert purposes, etc
This reminds me of how the government has a system in place to warn them when officials are misusing their passport record access to access information about important people--e.g. presidential candidates. Nice of them to design access restriction that only cares when the information about *important* people is accessed without reason.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
FYI, In Australia Telstra 'asks' for your licence to connect your home phone. They make it sound like giving your licence is absolutely required.
Last time this occurred for me, the conversation started to wear a little on the operator -
"What is your licence number?"
"What licence?"
"Car licence"
"Why would I have a car licence?"
"Err. Oh."
"I am requesting for a home phone connection, not registering a car"
"Okay then"
... and no issues. No licence required to register a home phone.
I called back later to ask why they needed a *licence* number for a home phone connection, but no one could actually say.
Although, the government made the law so that you need to identify yourself to register a mobile phone. I do wonder how people who have a licence (don't drink, don't drive, etc) obtain a mobile connection.
Interestingly, with the recent attempt by google - where they demand a phone number to verify you - is completely thwartable. You can buy sim cards for $2 each - as many as you like.
Knowing someone's phone number (ala scraping it via Android / iphone) can be very useful for identifying individuals.. but phone numbers can be changed easily. It's just a pain to do.
I'm surprised that they haven't suggested using phone numbers to identify people.
You have a sick, twisted mind. Please subscribe me to your newsletter.
Like freedom? Don't like being under Big Brother's thumb? Dump the Internet, and catch a ride on the Internet's competition, the *Internot!!
(*Yeah, stupid name...but Alternet and Outernet are taken.)
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
Given a benevolent government and benevolent holders of economic power, there would be some sense in a way of identifying real people for real purposes, like making online tax returns or opening bank accounts. In the real world such a mechanism would be massively abused. The government would demand that all online expression be tied to such an identifier, and those with economic power would demand that it be used for all financial transactions, either because it suits their convenience (like with driving licences) or because they support the government's authoritarian agenda. And because capitalism is a 'pay up or piss off' system there would be no other way to access goods and services.
As the subject states, this is the initial roll-out of "Trusted Computing".
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
It's simply had the political name-change game played with it. If at first it doesn't fly, rename it and try again. Rinse & repeat until passage/implementation/adoption.
As has been commented elsewhere here, this is something that will be slowly expanded with government and corporate pressure from initially being voluntary to eventually become necessary to connect to your ISP.
This thing is a tyrant's dream. It *must* be prevented from being implemented. There's no way that much power will escape being abused and corrupted.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
I'm not, nor have been a "tea-partier". I'm a Libertarian. I look not at skill of politicking, but rather out foundational truths. Any government big enough to give you everything you want, is big enough to take everything you have.
It isn't enough that the top 20% of income earners pay something like 70+% of the taxes, the government is now wanting more. And the stupid left wing idiots don't even realize that all taxes are regressive.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Sorry. In the minds of koolaid drinking liberals you're a member of the tea party. Enjoy!
Om, nomnomnom...